Xen Project Hypervisor 4.12 Offers Smaller Code Size and Improved Security
Rachel Romoff | 02 April 2019
Major release makes Xen an attractive option for automotive and embedded technologies.
SAN FRANCISCO – April 2, 2019 — The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.12. This latest release adds impressive feature improvements around security and code size, x86 architectural renewal and additional updates making the technology ideal for embedded and automotive industries.
The leaner architecture in Xen 4.12 reduces the lines of code and, in turn, the potential for security vulnerabilities, while making Xen an attractive option for use in mixed-criticality systems. Additionally, further de-privileging QEMU through defense-in-depth techniques, together with improvements to VMI, reduces exposure to unknown security threats. This version of Xen is more configurable, significantly reducing integration costs for businesses and organizations that customize Xen heavily. Xen 4.12 also continues to build upon previous versions with a cleaner architecture, improved user experience, and future-proofing.
“Xen Project Hypervisor 4.12 is a clear example of the project delivering on its promise for revamped architecture, a major step forward to unlock market segments such as security products as well as embedded and automotive,” said Lars Kurth, chairperson of the Xen Project Advisory Board. “As we continue to serve the hosting and cloud markets, we will also focus on streamlining the certification process for Xen while helping the security embedded automotive vendors that are invested in Xen continue to build attractive products on top of the hypervisor.”
Security & Code Size
The Xen 4.12 release builds upon the security features of previous releases, continuing Xen’s legacy of being the safest and most stable hypervisor for security-focused environments.
- HVM/PVH-only and PV-only Hypervisor: The new Xen Project 4.12 release separates the HVM/PVH and PV code paths in Xen and provides KCONFIG options to build a PV-only or HVM/PVH-only hypervisor. This enables Xen-based security products such as Qubes OS, Star Lab Crucible, and OpenXT to more easily build products with a vastly reduced memory footprint and attack surface. In addition, the release enables cloud and hosting providers which do not offer support for PV guests to deploy HVM/PVH-only hypervisors, which in turn increases security.
- QEMU Deprivilege (DM_RESTRICT): Xen’s previous three releases laid the groundwork for QEMU Deprivilege, limiting the impact of security vulnerabilities that originate in QEMU. In Xen 4.12, this feature has been vastly improved. The majority of restrictions and features have been implemented, improving security and readiness for wide-scale testing. Support for VM migration has also been added, along with defense-in-depth techniques using chroot, RLIMITs, and Linux namespaces to protect against privilege escalation from QEMU to Xen and to VMs.
- Argo – Hypervisor-Mediated data eXchange: Argo is a new inter-domain communication mechanism that is designed for security, safety and mixed-criticality systems with isolation properties that go beyond those of existing inter-domain communication mechanisms. Argo is designed to be robust and simple to use correctly, securely and safely. In addition, Argo meets requirements for performance isolation between domains, to prevent negative performance impact from malicious or disruptive activity of other domains, or even other VCPUs of the same domain. It follows Multiple Independent Levels of Security/Safety (MILS) architecture foundational principles. Argo provides Xen hypervisor primitives to transmit data between VMs, by performing data copies into receive memory rings registered by domains. It does not require memory sharing between VMs and does not use grant tables or Xenstore.
- Improvements to Virtual Machine Introspection: The VMI subsystem which allows detection of 0-day vulnerabilities has seen many functional and performance improvements. Altp2m (see https://xenproject.org/tag/alt2pm/) and Intel #VE/VMFUNC support within the subsystem have been tuned and hardened. These two technologies reduce the performance overhead of Virtual Machine Introspection by 5% to 20% depending on workload.
x86 Architectural Renewal
The new Xen 4.12 features renew how x86 architecture support is implemented in Xen, a multi-year effort that is nearing completion.
- Credit2 Scheduler: The Credit2 scheduler is now the Xen Project default scheduler. Credit2 represents several years’ worth of effort to create the next-generation scheduler for Xen. It is designed specifically for the performance of latency-sensitive workloads, as well as for scalability and predictability.
- PVH Support: Grub2 boot support has been added to Xen and Grub2. These additions enable users to boot any PVH guest kernel via the grub menu. The updates to PVH also improve its stability.
- PVH Dom0: PVH Dom0 support has now been upgraded from experimental to tech preview. This upgrade, exclusive to Intel hardware, resolves various bugs and features several improvements such as the new dom0-iommu=map-reserved option, which can be used to work around broken firmware when using a PVH Dom0. Support for migrating domUs from a PVH dom0 has also been included.
The Project is working to make Xen more easily safety-certifiable, targeting embedded and automotive use-cases. These new upgrades will increase the viability of Xen for use in mixed-criticality systems.
- Dom0less VMs for statically partitioned systems: The new Xen 4.12 upgrade makes it possible to create and boot Arm VMs from Device Tree immediately after starting Xen. In traditional Xen environments, VMs can only be started after the Dom0 kernel, user space and the toolstack are up and running. The upgrade decreases boot time by more than 90%. Dom0less VMs extend the usage of Xen to statically partitioned mixed-criticality systems. Xen is planning to extend the Dom0less concept in subsequent releases to allow building Xen systems entirely without a Dom0. This, in turn, will reduce the cost of safety certification significantly.
- Tiny Arm Configurations: The Xen 4.12 upgrade allows users to build a tiny Arm configuration with less than 50 KSLOC, which in turn reduces the cost of safety certification for Xen-based systems. This new functionality allows building Xen variants for specific hardware such as Renesas R-Car 3 and Xilinx UltraScale+ MPSoC with the minimal set of drivers and features needed for mixed-criticality systems.
Additional Technical Features
The new Xen 4.12 upgrade also includes improved IOMMU mapping code, which is designed to significantly improve the startup times of AMD EPYC based systems.
The upgrade also features Automatic Dom0 Sizing, which allows the Dom0 memory size to be set as a percentage of host memory (e.g. 10%) or as a fixed amount plus a percentage (e.g. 1G+10%).
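To make the sizing rule above concrete, here is an added example (not Xen's own code) that resolves a Dom0 memory specification of the two forms the release names, "10%" and "1G+10%", against a given amount of host memory. The page does not state the exact grammar Xen accepts; the grammar here (a sum of terms, each an integer with an optional K/M/G/T suffix or a percentage of host memory) and the rejection of a result exceeding host memory are assumptions made for this illustration.

```python
"""Resolve a Dom0 memory size specification such as "10%" or "1G+10%".

Added example, not Xen's own code. The accepted grammar is an assumption:
    spec := term ('+' term)*
    term := INTEGER [K|M|G|T]      absolute size, binary suffixes
          | INTEGER '%'            percentage of host memory
"""

import re

# Binary size suffixes (assumed; the page only shows "G").
_SUFFIX = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}
_TERM = re.compile(r"^(\d+)([KMGTkmgt]?)(%?)$")


def resolve_dom0_mem(spec: str, host_bytes: int) -> int:
    """Return the Dom0 size in bytes for `spec` given `host_bytes` of host RAM.

    Raises ValueError for an empty, malformed, zero, or oversized result,
    so a bad boot-time setting fails loudly instead of silently starving
    the host or Dom0.
    """
    if host_bytes <= 0:
        raise ValueError("host memory must be positive")
    total = 0
    for raw in spec.split("+"):
        term = raw.strip()
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"malformed dom0 memory term: {term!r}")
        digits, suffix, pct = m.groups()
        value = int(digits)
        if pct:
            if suffix:
                raise ValueError(f"percentage term may not carry a suffix: {term!r}")
            # Percentage of host memory, truncated to whole bytes.
            total += host_bytes * value // 100
        else:
            total += value * _SUFFIX[suffix.upper()]
    if total <= 0:
        raise ValueError(f"dom0 memory resolves to zero: {spec!r}")
    if total > host_bytes:
        raise ValueError(f"dom0 memory {total} exceeds host memory {host_bytes}")
    return total


if __name__ == "__main__":
    host = 64 << 30  # constructed sample: a 64 GiB host
    for example in ("10%", "1G+10%", "512M"):
        print(f"{example:>8} on 64 GiB host -> {resolve_dom0_mem(example, host)} bytes")
```

Both forms from the release resolve to a concrete byte count, and a term that exceeds host memory or parses to nothing is rejected rather than clamped, which is the behaviour a practitioner would want from a boot-time option that decides how much memory the control domain gets.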
Comments from Xen Project Users and Contributors:
“With today’s introduction of the hypervisor-mediated exchange protocol Argo, Non-bypassable and Always-invoked (NEAT) properties are now possible with the Xen hypervisor,” said Daniel P. Smith, Chief Technologist at Apertus Solutions. “Early separation kernel concepts were defined in the 1980’s by John Rushby’s seminal work, extended by Jim Alves-Foss for virtual systems, and distilled into NEAT properties for Multiple Independent Levels of Separation (MILS) systems. Apertus Solutions looks forward to future Xen Security Modules (XSM) type assertion capabilities that only a hypervisor-mediated exchange protocol like Argo can deliver on a per-message basis, on the trusted computing foundations of DRTM, TrenchBoot, disaggregated Xen and OpenXT.”
Assured Information Security
“Argo is a robust inter-VM communication protocol for Xen with emphasis on security and isolation for trusted systems,” said Rich Turner, Principal Engineer, SecureView, Assured Information Security. “Assured Information Security (AIS) is committed to advancing the support and implementation of Argo in secure products and services. As long-standing supporters and contributors of OpenXT, AIS is excited by the security advancements that Argo provides to Xen and downstream projects like OpenXT. Our customers count on secure isolation and communication within our products and Argo will further our ability to deliver secure, safe, and mission-critical products.”
“As a member of the Advisory Board, we are fully committed to supporting Xen Project. We are impressed with the technological advancements the Xen Project team introduced with the Xen 4.12 release and look forward to contributing to the future success of the project,” said Mihai Donțu, Chief Linux Officer at Bitdefender. “The new functionality developed in Virtual Machine Introspection (VMI) is enhancing the overall performance of purposely built security solutions that take advantage of this subsystem. Bitdefender Hypervisor Introspection is leveraging the VMI subsystem to defend virtual machines against zero-day exploits and is using Altp2m and #VE to improve the solution performance.”
“With its 4.12 release, the Xen Project Hypervisor builds upon its already strong foundations of dependable workload isolation and cutting edge security features,” said James Bulpin, Senior Director, Technology, Citrix. “By delivering on QEMU de-privilege, and enabling integrators to optionally exclude code for unused virtualization modes, Xen 4.12 exhibits valuable defense-in-depth, and attack surface minimization qualities. These capabilities enable Citrix Hypervisor, which uses Xen at its core, to deliver dependable security to our cloud, server, and desktop virtualization customers.”
“As a long time proponent of embedded virtualization for commercial and safety-critical applications, DornerWorks is excited by the continued focus of the Xen community on not only large server clusters but also on the smaller embedded systems that we rely on every day,” said Steven H. VanderLeest, Ph.D, Chief Operating Officer at DornerWorks. “We are especially pleased with the release of Dom0less boot and configuration options to reduce ARM code size, which will help reduce the certification and maintenance burden while improving Xen’s boot time and performance.”
“The latest release of Xen Hypervisor is the first step towards functional safety regulation compliance, reducing external non-compliant component dependency and introducing minimal code footprint configuration. These changes enable the usage of Xen Hypervisor in complex, mixed-safety automotive systems, such as digital cockpits or communication gateways,” said Alex Agizim, CTO, Automotive & Embedded Systems, EPAM.
“The release of Xen 4.12 enables Star Lab to continue delivering Crucible, our highly performant and secure virtualized solution for tactical virtualization,” said Irby Thompson, CEO of Star Lab. “Xen 4.12 helps reduce the size of the core hypervisor, while further isolating control logic from the guests, increasing security benefits for Star Lab and our customers. Additionally, Xen 4.12 will enable Star Lab to continue the development of hypervisor offerings for its ARM platform customers. Star Lab is looking forward to collaborating with the Xen community on additional dom0less and tiny ARM developments.”
“Reducing the Xen code size, its complexity, moving more parts away from Paravirtualization (PV), and making optional features configurable at build time is hugely beneficial in terms of reducing attack surface,” said Marek Marczykowski-Górecki, Qubes OS project leader. “We look forward to using Xen 4.12 in the next Qubes OS release to even better utilize hardware virtualization and provide secure client environment.”
“We at SUSE have been supporting Xen as a high end, reliable technology since the very beginning of virtualization support in our enterprise products,” said Jiri Kosina, Director, SUSE Labs Core. “Therefore we are very happy to see that this new hypervisor release is, once again, expanding the set of features that meet the rapidly growing demand of the current virtualization market.”
“Xilinx is excited to see the new features introduced by the Xen development team for the 4.12 release, especially the new Dom0-less fast boot combined with the code size reductions targeting Xilinx Zynq UltraScale+ MPSoC,” said Simon George, Director of System Software and SoC Solution Marketing at Xilinx. “These features, along with the earlier null scheduler, allow Xen to better serve diverse, embedded use cases. We look forward to Xen’s roadmap for continued work on new features for these markets.”
- Xen Project Hypervisor technical blog
- Xen Project 4.12 release information
- Xen Project Hypervisor version 4.12 download
About the Xen Project
Xen Project software is an open source virtualization platform licensed under the GPLv2 with a similar governance structure to the Linux kernel. Designed from the start for cloud computing, the Project has more than a decade of development and is being used by more than 10 million users. A project at The Linux Foundation, the Xen Project community is focused on advancing virtualization in a number of different commercial and open source applications including server virtualization, Infrastructure as a Services (IaaS), desktop virtualization, security applications, embedded and hardware appliances. It counts many industry and open source community leaders among its members including Alibaba, Amazon Web Services, AMD, Arm, Bitdefender, Citrix, Huawei, Intel, and Oracle. For more information about the Xen Project software and to participate, please visit XenProject.org.
Intel and Xeon are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
About Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.